[openssl.org #480] Support for local ip address binding for connect BIO's.
Hi,

Hereby I'd like to request support for local (source) IP address binding in bio_conn.c. This should be fairly easy to implement and allows a connection BIO to connect from (bind to) a specific source IP address. This functionality is typically preferred on systems with multiple IP addresses. Currently I need to patch bio_conn for this, which is a lot of hassle. In my personal opinion it's functionality which should be supported by default by the library. It's an elementary step in setting up a socket connection.

Regards,
Sieds Aalberts

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
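The behaviour the ticket asks for is a bind() on the local end before connect(). The following is an added example, not code from the ticket or from OpenSSL: it forces the client side of a TCP connection onto a chosen source address, checks up front whether the host can bind that address at all (the failure mode a multi-homed user would hit), and confirms from a loopback listener which address the peer really arrived from. The listener, the thread helper and the address values are constructed for the example.

```python
import socket
import threading

# Added example (not from the ticket or from OpenSSL): bind the client end of
# a TCP connection to a chosen local (source) address before connect(), and
# confirm from the server side which address the peer actually came from.
# Everything runs on loopback, so it works offline.

def can_bind(source_ip):
    """True if this host can use source_ip as a local address at all.
    Binding to an address the host does not own fails with EADDRNOTAVAIL;
    report that to the user instead of silently letting the routing table
    pick a different source address."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((source_ip, 0))
        return True
    except OSError:
        return False
    finally:
        probe.close()

def connect_from(source_ip, target):
    """Connect to target=(host, port) with the local end forced onto source_ip.
    socket.create_connection() calls bind(source_address) before connect();
    port 0 lets the kernel choose an ephemeral source port.
    Returns the (ip, port) the kernel assigned to the local end."""
    sock = socket.create_connection(target, timeout=5, source_address=(source_ip, 0))
    try:
        return sock.getsockname()[:2]
    finally:
        sock.close()

def _serve_once(listener, seen):
    """Accept one connection and record the peer address the server observed."""
    try:
        conn, peer = listener.accept()
        seen["peer"] = peer
        conn.close()
    except OSError:
        seen["peer"] = None

def demo(source_ip="127.0.0.1"):
    """Start a loopback listener, connect to it from source_ip, and return
    (address the client bound to, address the server saw the client come from)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    seen = {}
    t = threading.Thread(target=_serve_once, args=(listener, seen), daemon=True)
    t.start()
    try:
        local = connect_from(source_ip, listener.getsockname()[:2])
    finally:
        t.join(5)
        listener.close()
    peer = seen.get("peer")
    return local[0], (peer[0] if peer else None)

if __name__ == "__main__":
    print(demo())
```

In C the same effect is a bind(2) on the socket before connect(2); the connected descriptor can then be handed to OpenSSL with BIO_new_socket() or SSL_set_fd(), which gives the source-address control without patching bio_conn.c.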
Re: [openssl.org #479] support version independent upgrade
In message [EMAIL PROTECTED] on Mon, 27 Jan 2003 23:33:24 +0100 (MET), [EMAIL PROTECTED] via RT [EMAIL PROTECTED] said:

rt> Actually, I'd prefer that I wouldn't have to relink and
rt> redistribute my application every time a security patch comes out
rt> for OpenSSL. I haven't seen any issues in our application
rt> upgrading from 0.9.6 to 0.9.7 using this non version technique on
rt> our local development nodes.

If all you wanted was security patches, you upgrade to the next patch level of 0.9.6. 0.9.7 contains a lot more changes than just security patches.

Also, as a very simple test, I built 0.9.6h and 0.9.7 with shared support, but made sure I linked the 0.9.7 test suite against the 0.9.6h libraries. Then I ran them. Kaboom (I don't recall exactly where, I did it some time ago...).

So if *you* haven't had any issues, count your blessings and don't make any changes to your applications. Unfortunately, since it's easily proven that there's a risk of mysterious crashes, we can't support your claim. Sorry.

rt> The version technique doesn't just prevent backward compatibility
rt> but it prevents users from getting potential security upgrades
rt> that *may* work just fine. It's definitely not a desirable
rt> distribution scenario as it sits now. It forces developers to do
rt> relinks and redistribute whether they're needed or not.

I agree that the current situation isn't optimal for shared libraries. What would you do in our place (and please look outside your particular sandbox, and think of all the reports of mysterious crashes that will flow in to us (which they sometimes do for systems like Windows, where there is no versioning). Basically, place yourself in our shoes).
-- 
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
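The rule Richard applies here (a later patch letter of the same 0.9.6 line is a drop-in replacement, 0.9.6 to 0.9.7 is not) can be encoded as a startup check rather than discovered as a crash inside the library. The block below is an added example, not code from the thread or from OpenSSL; it decodes the 0xMNNFFPPS layout that OPENSSL_VERSION_NUMBER used in the 0.9.x and 1.x series (OpenSSL 3.x changed the layout, so the decoder must not be applied to 3.x values) and compares the number an application was built against with the one the loaded library reports.

```python
# Added example (not from the thread or from OpenSSL): decode the 0.9.x/1.x
# OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS (major, minor, fix, patch, status)
# and apply the compatibility rule from the thread: a newer patch level of
# the same major.minor.fix may replace the library an application was built
# against; a different fix level may not. OpenSSL 3.x uses a different layout,
# so this decoder is not valid for 3.x numbers.

def decode_version_number(n):
    """0x0090608f -> (0, 9, 6, 8, 0xf): major, minor, fix, patch, status."""
    return ((n >> 28) & 0xF, (n >> 20) & 0xFF, (n >> 12) & 0xFF, (n >> 4) & 0xFF, n & 0xF)

def version_string(n):
    """Human form: 0x0090608f -> '0.9.6h', 0x0090700f -> '0.9.7'."""
    major, minor, fix, patch, _status = decode_version_number(n)
    letter = "" if patch == 0 else chr(ord("a") + patch - 1)
    return f"{major}.{minor}.{fix}{letter}"

def abi_compatible(built_against, runtime):
    """Same major.minor.fix and a patch level at least as new: OK to load.
    0.9.6f -> 0.9.6h passes; 0.9.6h -> 0.9.7 is rejected, which is the
    combination the 'kaboom' test in the thread exercised."""
    b = decode_version_number(built_against)
    r = decode_version_number(runtime)
    return b[:3] == r[:3] and r[3] >= b[3]

def check_runtime(built_against, runtime):
    """Status line an application could log at startup: built_against is the
    OPENSSL_VERSION_NUMBER from the headers it was compiled with, runtime the
    value the loaded library reports (SSLeay() in the 0.9.x API)."""
    if abi_compatible(built_against, runtime):
        return (f"ok: built against {version_string(built_against)}, "
                f"running {version_string(runtime)}")
    return (f"refuse to run: built against {version_string(built_against)}, "
            f"loaded {version_string(runtime)} (different fix level or older patch)")

if __name__ == "__main__":
    print(check_runtime(0x0090606F, 0x0090608F))   # 0.9.6f app, 0.9.6h library
    print(check_runtime(0x0090608F, 0x0090700F))   # 0.9.6h app, 0.9.7 library
```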
[openssl.org #481] (0.9.7 on Win32) openssl ca crashes when exiting...
Hi there!

I thought this was worth mentioning: very reproducibly, openssl ca crashes each time when having finished the job. (Worked in 0.9.6x.) Here's some info for the bug report:

System(s): Win98SE/WinNT4.0Sp6 on INTEL (PIII, 666Mhz and others), MSVC++6Sp5, Version 12.00.8804

OpenSSL:

OpenSSL 0.9.7 31 Dec 2002
built on: Thu Jan 23 09:11:54 2003
platform: VC-WIN32
options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
compiler: cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -DOPENSSL_NO_KRB5
OPENSSLDIR: ./.

OpenSSL 0.9.7 31 Dec 2002
built on: Thu Jan 23 09:44:10 2003
platform: VC-WIN32
options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
compiler: cl /MDd /W3 /WX /Zi /Yd /Od /nologo -DOPENSSL_SYSNAME_WIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -DOPENSSL_NO_KRB5
OPENSSLDIR: ./.

and a stack trace:

_free_dbg_lk(void * 0x5000, int 1) line 1044 + 48 bytes
_free_dbg(void * 0x5000, int 1) line 1001 + 13 bytes
free(void * 0x5000) line 956 + 11 bytes
CRYPTO_free(void * 0x5000) line 364 + 10 bytes
ASN1_STRING_free(asn1_string_st * 0x) line 390 + 21 bytes
ASN1_primitive_free(ASN1_VALUE_st * * 0x00fd32f4, const ASN1_ITEM_st * 0x004df078 local_it) line 224 + 11 bytes
asn1_item_combine_free(ASN1_VALUE_st * * 0x00fd32f4, const ASN1_ITEM_st * 0x004df078 local_it, int 0) line 100 + 13 bytes
ASN1_template_free(ASN1_VALUE_st * * 0x00fd32f4, const ASN1_TEMPLATE_st * 0x004df7f4) line 175 + 28 bytes
asn1_item_combine_free(ASN1_VALUE_st * * 0x0076f31c, const ASN1_ITEM_st * 0x004df850 local_it, int 0) line 151 + 13 bytes
ASN1_item_free(ASN1_VALUE_st * 0x00fd32f0, const ASN1_ITEM_st * 0x004df850 local_it) line 71 + 15 bytes
X509_NAME_ENTRY_free(X509_name_entry_st * 0x00fd32f0) line 78 + 18 bytes
sk_pop_free(stack_st * 0x00fe0860, void (void *)* 0x0046b597 X509_NAME_ENTRY_free(X509_name_entry_st *)) line 290 + 16 bytes
x509_name_ex_free(ASN1_VALUE_st * * 0x00fdf66c, const ASN1_ITEM_st * 0x004df8b0 local_it) line 144 + 16 bytes
asn1_item_combine_free(ASN1_VALUE_st * * 0x00fdf66c, const ASN1_ITEM_st * 0x004df8b0 local_it, int 0) line 130 + 29 bytes
ASN1_template_free(ASN1_VALUE_st * * 0x00fdf66c, const ASN1_TEMPLATE_st * 0x004decc4) line 175 + 28 bytes
asn1_item_combine_free(ASN1_VALUE_st * * 0x00fdf6c0, const ASN1_ITEM_st * 0x004deda8 local_it, int 0) line 151 + 13 bytes
ASN1_template_free(ASN1_VALUE_st * * 0x00fdf6c0, const ASN1_TEMPLATE_st * 0x004ded68 X509_seq_tt) line 175 + 28 bytes
asn1_item_combine_free(ASN1_VALUE_st * * 0x0076f44c, const ASN1_ITEM_st * 0x004dedc8 local_it, int 0) line 151 + 13 bytes
ASN1_item_free(ASN1_VALUE_st * 0x00fdf6c0, const ASN1_ITEM_st * 0x004dedc8 local_it) line 71 + 15 bytes
X509_free(x509_st * 0x00fdf6c0) line 125 + 18 bytes
sk_pop_free(stack_st * 0x00fdc470, void (void *)* 0x0045441c X509_free(x509_st *)) line 290 + 16 bytes
ca_main(int 0, char * * 0x00fb06c8) line 1636 + 17 bytes
do_cmd(lhash_st * 0x00fd2c80, int 9, char * * 0x00fb06a4) line 379 + 14 bytes
main(int 9, char * * 0x00fb06a4) line 298 + 20 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! bff8b560()
KERNEL32! bff8b412()
KERNEL32! bff89dd5()

And (while I'm at it) another thing to mention: I'm using openssl with stunnel. When I'm running stunnel as a service, RAND_poll in rand_win.c can't work, as it needs features not available under the SYSTEM account without a user logged in (i.e. the UI features), so it dropped all the stuff except for the CryptAcquireContext when building the service version. Although I'm totally dependent on MS-randomness now, everything works fine when running as a service now.

And yet another thing: usage of RAND_file_name() isn't working for a service app with no logged-on user, too, when no filename is specified. After trying to get a filename from the environment (where none is defined), filename is filled with rubbish (could be that the environment is rubbish, or the OS...). So I don't use that under Win32 either.

Just wanted to mention those, thanks a lot, best regards,
Claudius Thomas
Re: certification path validation suite
Dr. Stephen Henson writes:
> There are many certs in production use with policy extensions; the VeriSign end entity certs should provide many examples.

Yes, I know about those. Is there any documentation, however, on what the VeriSign policy extensions actually *mean*? The last time I looked it had a I have assumed that they are identifiers tied to the CPS.

The CPS URL in one of the VeriSign end entity certs I have (the one shadowed in the document) has this:

    7.1.6 Certificate Policy Object Identifier
    Where the Certificate Policies extension is used, Certificates contain the object identifier for the Certificate Policy corresponding to the appropriate Class of Certificate as set forth in CPS [section] 1.2. For legacy Certificates issued prior to the publication of the VTN CP which include the Certificate Policies extension, Certificates refer to the VeriSign CPS.

This section 1.2 says:

    1.2 Identification
    This document is the VeriSign Certification Practice Statement. VTN Certificates contain object identifier values corresponding to the applicable VTN Class of Certificate. Therefore, VeriSign has not assigned this CPS an object identifier value. Certificate Policy Object Identifiers are used in accordance with CPS [section] 7.1.6.

So at least in the case of VeriSign the OID probably refers to a particular CP, while the URL points to a CPS. Don't know where the master list of policies would be.
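The distinction drawn above (the policyIdentifier OID names a Certificate Policy; the id-qt-cps qualifier carries a URI pointing at a CPS) is what a validator has to pull out of the certificatePolicies extension. The following is an added example, not code from the thread or from OpenSSL: a small DER walker for that extension as defined in RFC 3280 section 4.2.1.5, together with the encoder half needed to build a sample value offline. The sample policies live under the 2.999 example OID arc and the CPS URI is a placeholder; both are constructed for the example and do not reflect any real CA's values.

```python
# Added example (not from the thread or from OpenSSL): parse the DER of a
# certificatePolicies extension into policy OIDs and their CPS pointers.
# The sample value at the bottom is constructed here (2.999.* example arc,
# placeholder URI), not taken from any real certificate.

OID_CPS = "1.3.6.1.5.5.7.2.1"      # id-qt-cps: qualifier value is a CPS URI
OID_UNOTICE = "1.3.6.1.5.5.7.2.2"  # id-qt-unotice: user notice, recorded but not parsed

def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _expect(tag, want, what):
    if tag != want:
        raise ValueError(f"{what}: expected tag 0x{want:02x}, got 0x{tag:02x}")

def decode_oid(b):
    """Base-128 subidentifiers; the first one packs the top two arcs."""
    subids, v = [], 0
    for byte in b:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(v)
            v = 0
    first = subids[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + subids[1:]))

def parse_certificate_policies(ext_value):
    """ext_value is the DER inside the extension's extnValue OCTET STRING:
    SEQUENCE OF PolicyInformation { policyIdentifier OID,
    policyQualifiers SEQUENCE OF PolicyQualifierInfo OPTIONAL }."""
    tag, body, _ = _read_tlv(ext_value, 0)
    _expect(tag, 0x30, "certificatePolicies")
    policies, pos = [], 0
    while pos < len(body):
        tag, pinfo, pos = _read_tlv(body, pos)
        _expect(tag, 0x30, "PolicyInformation")
        tag, oid, p = _read_tlv(pinfo, 0)
        _expect(tag, 0x06, "policyIdentifier")
        entry = {"policy": decode_oid(oid), "cps": [], "other_qualifiers": []}
        if p < len(pinfo):                     # qualifiers are optional
            tag, quals, _ = _read_tlv(pinfo, p)
            _expect(tag, 0x30, "policyQualifiers")
            q = 0
            while q < len(quals):
                tag, qinfo, q = _read_tlv(quals, q)
                _expect(tag, 0x30, "PolicyQualifierInfo")
                tag, qid, qp = _read_tlv(qinfo, 0)
                _expect(tag, 0x06, "policyQualifierId")
                qid = decode_oid(qid)
                if qid == OID_CPS:
                    tag, uri, _ = _read_tlv(qinfo, qp)
                    _expect(tag, 0x16, "CPSuri")   # IA5String
                    entry["cps"].append(uri.decode("ascii"))
                else:
                    entry["other_qualifiers"].append(qid)
        policies.append(entry)
    return policies

# Encoder half, so the sample can be built without a real certificate.

def _b128(v):
    out = [v & 0x7F]
    v >>= 7
    while v:
        out.append(0x80 | (v & 0x7F))
        v >>= 7
    return bytes(reversed(out))

def encode_oid(s):
    arcs = [int(x) for x in s.split(".")]
    return b"".join(_b128(v) for v in [40 * arcs[0] + arcs[1]] + arcs[2:])

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def build_sample():
    """Constructed value: one policy with a CPS pointer, one with only a user notice."""
    cps = _tlv(0x30, _tlv(0x06, encode_oid(OID_CPS)) + _tlv(0x16, b"https://cps.example/cps"))
    pol1 = _tlv(0x30, _tlv(0x06, encode_oid("2.999.1.7.23")) + _tlv(0x30, cps))
    notice = _tlv(0x30, _tlv(0x06, encode_oid(OID_UNOTICE)) + _tlv(0x30, _tlv(0x0C, b"Example notice")))
    pol2 = _tlv(0x30, _tlv(0x06, encode_oid("2.999.2")) + _tlv(0x30, notice))
    return _tlv(0x30, pol1 + pol2)

if __name__ == "__main__":
    for entry in parse_certificate_policies(build_sample()):
        print(entry)
```

Every length is checked against the buffer before slicing, so a truncated extension raises ValueError rather than being read past its end; that is the property to keep when adapting this to untrusted certificates.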
[openssl.org #408] Segmentation Fault (openssl-0.9.7-beta6)
Sorry, just noticed the problem has been discussed here already. I'm having exactly the same problem with 0.9.7/Win32 and I found several other notes about that on the web. Problem seems to be somewhere in

free(void * 0x5000) line 956 + 11 bytes
CRYPTO_free(void * 0x5000) line 364 + 10 bytes
ASN1_STRING_free(asn1_string_st * 0x) line 390 + 21 bytes

(see my own ticket 481 where I included complete info/stack trace)

regards,
Claudius Thomas ([EMAIL PROTECTED])
[openssl.org #482] man page bug for BN_prime_check(s)
Missing the s in BN_prime_check in man BN_generate_prime:

    Both BN_is_prime() and BN_is_prime_fasttest() perform a Miller-Rabin probabilistic primality test with checks iterations. If checks == BN_prime_check, a number of iterations is used that yields a false positive rate of at most 2^-80 for random input.

The actual check should be

    If checks == BN_prime_checks, a number of

See the missing s :-)

thanks,
Cameron
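The man page text quoted in the ticket describes a Miller-Rabin test whose iteration count is either given explicitly or, when checks == BN_prime_checks, chosen from the size of the candidate so that the false-positive rate for random input is at most 2^-80. The block below is an added example, not code from the ticket or from OpenSSL, showing that interface in working form: trial division by small primes (the "fasttest" variant), then the requested number of Miller-Rabin rounds with random bases. The size table is the one OpenSSL's bn.h of that era took from Handbook of Applied Cryptography, Table 4.4; it is reproduced from memory here, so the exact thresholds are an assumption and bn.h remains the authoritative source.

```python
import random

# Added example (not from the ticket or from OpenSSL): Miller-Rabin with the
# same "checks" knob the man page describes. checks == BN_PRIME_CHECKS asks
# for an iteration count sized to the candidate, aiming at a false-positive
# rate of at most 2^-80 for random input. The size table is reproduced from
# memory after OpenSSL 0.9.x bn.h / HAC Table 4.4: treat it as an assumption.

BN_PRIME_CHECKS = 0   # sentinel: "pick the iteration count for me"
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def prime_checks_for_size(bits):
    """Rounds needed for error <= 2^-80 on a random candidate of this bit
    length; larger candidates need fewer rounds."""
    table = ((1300, 2), (850, 3), (650, 4), (550, 5), (450, 6), (400, 7),
             (350, 8), (300, 9), (250, 12), (200, 15), (150, 18))
    for threshold, rounds in table:
        if bits >= threshold:
            return rounds
    return 27

def is_probable_prime(n, checks=BN_PRIME_CHECKS, do_trial_division=True,
                      rng=random.SystemRandom()):
    """Like BN_is_prime_fasttest(): optional trial division by small primes,
    then `checks` Miller-Rabin rounds with random bases. Returns True if n is
    prime or a strong pseudoprime to every base tried, False if a witness to
    compositeness was found."""
    if n < 2:
        return False
    if do_trial_division:
        for p in _SMALL_PRIMES:
            if n % p == 0:
                return n == p
    elif n in (2, 3):
        return True
    elif n % 2 == 0:
        return False
    if checks == BN_PRIME_CHECKS:
        checks = prime_checks_for_size(n.bit_length())
    d, r = n - 1, 0                      # n - 1 = d * 2^r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(checks):
        a = rng.randrange(2, n - 1)      # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: n is composite
    return True

if __name__ == "__main__":
    print(prime_checks_for_size(1024), is_probable_prime(2**127 - 1))
```

The test below includes 3215031751, a strong pseudoprime to the fixed bases 2, 3, 5 and 7, to show why the implementation draws random bases rather than a fixed short list.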
[openssl.org #408] Segmentation Fault (openssl-0.9.7-beta6)
[guest - Tue Jan 28 14:07:57 2003]:
> Sorry, just noticed the problem has been discussed here already. I'm having exactly the same problem with 0.9.7/Win32 and I found several other notes about that on the web. Problem seems to be somewhere in
> free(void * 0x5000) line 956 + 11 bytes
> CRYPTO_free(void * 0x5000) line 364 + 10 bytes
> ASN1_STRING_free(asn1_string_st * 0x) line 390 + 21 bytes
> (see my own ticket 481 where I included complete info/stack trace)

What about the 0.9.7a snapshots? The bug is present in the 0.9.7 release. A symptom of the original bug was that some subsequent call to free() would crash, though which one varied depending on the system's malloc behaviour.

Assuming you still get this with the 0.9.7a snapshot... Your test command seems to include an external extension file; do you still get the problem if you don't include the -extfile command line switch? If not, can you upload that file as well?

Steve.
[openssl.org #408] Segmentation Fault (openssl-0.9.7-beta6)
Just got openssl-0.9.7-stable-SNAP-20030127.tar.gz and tried again. Seems like the problem is fixed :-)

thanks a lot, best regards,
Claudius Thomas ([EMAIL PROTECTED])